Random URL Crack
I'm developing a web application that has to include a "code" in the URL. The code is a randomly generated, 16-character string.
This is an example:
http://www.myserver.com/page.htm?id=userid&code=aDYHnP5%5eOT9EJS8T
Assume the following:
- You know the userid.
- You know the code is 16 characters.
- There are no restrictions to the number of times you could hit the URL.
Could anyone tell me how long it might take to break the code and access the contents of this URL. I'm not sure how challenging this is and would love some experienced input.
well, lets say you brute forced the URL (which would be the only option)..
say you are bruting at 3 attemtps a second. you have 9999999999999999 possibly combinations.
So, it sould take about 10598968 years to brute force every combination.
Not to mention you could add a quick anti brute force script using sessions. i.e.. Every false attempt you add 1 to a session number… if session number > 5 then die("wait for session to clear")
simple. So i think your script is pretty safe.
well its 18 characters long, you have 16 letters * 2 for caps, plus 10 digits, including say 10 special chatrers ., &, / ? etc. you have 52, and 18 of then so thats 52^18 as cheese says 3/second you have (52^18)/3 /60 /60 /24 /365.25 =8.2^22 years. if you dont know tahts gigantic. [EDIT] There are 26 letters not 16 :p [/EDIT]
Hmm, are we allowed parallel sessions, and do we have to come from only 1 host?
Also, is the string really random, or just psuedo random (like a PNG)? If its psuedo random, it may be possible to view a few thousand valid strings and then make a few guesses to get the real one.
But like Mr_Cheese and wolfmankurd said, if you're coming from only one host with one connection, it would take an inordinate amount of time.
The "code" portion of the URL included some URL-encoded characters – that's why the code appeared longer than 16 characters.:) However, even with that, I think I get the idea that this random approach would be tough to break.
Thanks for the feedback.
p.s. - Parallel hits would be allowed, but I think at some point firewall alarms would be triggered.